Windows Internals
Seventh Edition
Part 1
System architecture, processes,
threads, memory management,
and more
Pavel Yosifovich, Alex Ionescu,
Mark E. Russinovich, and David A. Solomon
PUBLISHED BY
Microsoft Press
A division of Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052-6399
Copyright © 2017 by Pavel Yosifovich, Alex Ionescu, Mark E. Russinovich and David A. Solomon
All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means
without the written permission of the publisher.
Library of Congress Control Number: 2014951935
ISBN: 978-0-7356-8418-8
Printed and bound in the United States of America.
First Printing
Microsoft Press books are available through booksellers and distributors worldwide. If you need support related
to this book, email Microsoft Press Support at mspinput@microsoft.com. Please tell us what you think of this book at
https://aka.ms/tellpress.
This book is provided “as-is” and expresses the author’s views and opinions. The views, opinions and information
expressed in this book, including URL and other Internet website references, may change without notice.
Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is
intended or should be inferred.
Microsoft and the trademarks listed at https://www.microsoft.com on the “Trademarks” webpage are trademarks of the
Microsoft group of companies. All other marks are property of their respective owners.
Acquisitions Editor: Devon Musgrave
Editorial Production: Polymath Publishing
Technical Reviewer: Christophe Nasarre
Layout Services: Shawn Morningstar
Indexing Services: Kelly Talbot Editing Services
Proofreading Services: Corina Lebegioara
Cover: Twist Creative • Seattle
To my family–my wife Idit and our children Danielle, Amit, and Yoav–
thank you for your patience and encouragement during this demanding work.
Pavel Yosifovich
To my parents, who guided and inspired me to follow my dreams, and to my family,
who stood by me all those countless nights.
Alex Ionescu
To our parents, who guided and inspired us to follow our dreams.
Mark E. Russinovich and David A. Solomon
Contents
Introduction ..........................................................xi
Chapter 1 Concepts and tools 1
Windows operating system versions .............................................1
Windows 10 and future Windows versions ................................3
Windows 10 and OneCore ................................................3
Foundation concepts and terms .................................................4
Windows API ............................................................4
Services, functions, and routines ........................................7
Processes ................................................................8
Threads ................................................................18
Jobs ....................................................................20
Virtual memory .........................................................21
Kernel mode vs. user mode ..............................................23
Hypervisor .............................................................27
Firmware ...............................................................29
Terminal Services and multiple sessions ..................................29
Objects and handles ....................................................30
Security ................................................................31
Registry ................................................................32
Unicode ................................................................33
Digging into Windows internals ................................................35
Performance Monitor and Resource Monitor .............................36
Kernel debugging ......................................................38
Windows Software Development Kit .....................................43
Windows Driver Kit .....................................................43
Sysinternals tools .......................................................44
Conclusion ....................................................................44
Chapter 2 System architecture 45
Requirements and design goals ................................................45
Operating system model ......................................................46
Architecture overview .........................................................47
Portability ..............................................................50
Symmetric multiprocessing .............................................51
Scalability ..............................................................53
Differences between client and server versions ...........................54
Checked build ..........................................................57
Virtualization-based security architecture overview .............................59
Key system components .......................................................61
Environment subsystems and subsystem DLLs ............................62
Other subsystems .......................................................68
Executive ...............................................................72
Kernel ..................................................................75
Hardware abstraction layer ..............................................79
Device drivers ..........................................................82
System processes .......................................................88
Conclusion ....................................................................99
Chapter 3 Processes and jobs 101
Creating a process ............................................................ 101
CreateProcess* functions arguments .....................................102
Creating Windows modern processes ...................................103
Creating other kinds of processes .......................................104
Process internals .............................................................105
Protected processes ..........................................................113
Protected Process Light (PPL) ...........................................115
Third-party PPL support ...............................................119
Minimal and Pico processes ...................................................120
Minimal processes .....................................................120
Pico processes .........................................................121
Trustlets (secure processes) ...................................................123
Trustlet structure ......................................................123
Trustlet policy metadata ...............................................124
Trustlet attributes ......................................................125
System built-in Trustlets ................................................125
Trustlet identity ........................................................126
Isolated user-mode services ............................................127
Trustlet-accessible system calls .........................................128
Flow of CreateProcess ........................................................129
Stage 1: Converting and validating parameters and flags ................131
Stage 2: Opening the image to be executed .............................135
Stage 3: Creating the Windows executive process object .................138
Stage 4: Creating the initial thread and its stack and context .............144
Stage 5: Performing Windows subsystem-specific initialization ..........146
Stage 6: Starting execution of the initial thread ..........................148
Stage 7: Performing process initialization in the context of the new process ...148
Terminating a process ........................................................154
Image loader .................................................................155
Early process initialization ..............................................157
DLL name resolution and redirection ...................................160
Loaded module database ..............................................164
Import parsing ........................................................168
Post-import process initialization .......................................170